Privacy after Puttaswamy: Constitutional Boundaries of State Data Collection under the Digital Personal Data Protection Act, 2023

# INTRODUCTION ## Background and Context The rapid digitisation of governance has fundamentally altered the relationship between the State and the individual. Governments increasingly rely on large-scale data collection, algorithmic decision-making, and digital platforms to deliver welfare, regulate populations, and maintain public order. While these developments promise efficiency and inclusivity, they simultaneously intensify concerns relating to privacy, surveillance, and misuse of personal data. In India, these concerns have acquired particular constitutional salience due to the scale at which the State collects and processes personal data across sectors such as welfare distribution, taxation, health, education, and law enforcement. Historically, privacy in India did not enjoy explicit constitutional recognition. For decades, judicial discourse treated privacy as an incidental aspect of personal liberty, vulnerable to competing State interests. This position became increasingly untenable in the digital age, where informational privacy control over personal data emerged as central to individual autonomy and dignity. The exponential growth of digital governance infrastructures, including biometric identification systems and integrated databases, exposed citizens to risks of profiling, exclusion, and pervasive surveillance. These developments catalysed both judicial and scholarly reassessment of privacy as a constitutional value. The Supreme Court’s decision in *Justice K.S. Puttaswamy (Retd.) v. Union of India* decisively transformed this landscape by recognising privacy as a fundamental right under Article 21 of the Constitution. The Court conceptualised privacy not merely as freedom from intrusion, but as a condition necessary for the exercise of autonomy, dignity, and democratic participation. Importantly, it articulated a structured proportionality test to govern State intrusions into privacy, thereby establishing constitutional limits on data collection and surveillance. Against this constitutional backdrop, the enactment of the Digital Personal Data Protection Act, 2023 (DPDP Act) marks a significant legislative milestone. The Act seeks to regulate personal data processing through a consent-based framework, delineating rights of data principals and obligations of data fiduciaries. However, the legislative history reveals a gradual shift away from the rights-centric approach recommended by earlier expert committees, particularly with respect to State accountability. The DPDP Act confers wide exemptions upon the State, permitting departures from core data protection principles on broadly framed grounds such as sovereignty, public order, and national security. This convergence of expansive State data practices and diluted statutory safeguards raises pressing constitutional questions. The challenge is no longer whether privacy is a fundamental right, but whether contemporary legislative frameworks meaningfully operationalise the constitutional standards laid down by the judiciary. ## Research Problem and Objectives The central research problem addressed in this paper is the constitutional ambiguity surrounding State exemptions under the Digital Personal Data Protection Act, 2023. While the Act strengthens data protection obligations for private entities, it simultaneously accords the executive significant discretion to exempt State agencies from key safeguards. This asymmetry creates tension between the constitutional mandate of privacy protection articulated in *Puttaswamy* and the statutory architecture governing State data collection. The ambiguity is twofold. First, the grounds for State exemption under the Act are framed in broad and indeterminate terms, raising concerns of overbreadth and arbitrariness. Secondly, the Act provides limited procedural safeguards or oversight mechanisms to ensure that State data processing satisfies the proportionality, necessity, and legality requirements mandated by constitutional jurisprudence. This raises the risk that privacy protections may be rendered illusory precisely in contexts where individuals are most vulnerable to coercive State power. In this context, the paper is guided by the following research questions: 1. Do the exemption provisions of the DPDP Act, 2023 conform to the constitutional standards established in *Puttaswamy*? 2. How does Indian law on State data collection compare with constitutional and statutory safeguards in other jurisdictions? 3. What are the implications of broad State exemptions for constitutional governance and individual rights? The primary objectives of this study are threefold. First, it aims to critically analyse the DPDP Act’s treatment of State data collection through the lens of constitutional privacy jurisprudence. Secondly, it seeks to situate Indian law within a comparative framework to identify normative benchmarks and best practices. Finally, the paper aspires to contribute to ongoing legal discourse by proposing principled approaches for reconciling data-driven governance with constitutional accountability. ## Scope and Methodology The scope of this paper is confined to the constitutional dimensions of State data collection under the Digital Personal Data Protection Act, 2023. It does not undertake an empirical assessment of data practices, nor does it examine private-sector compliance in detail, except where relevant for comparative analysis. Methodologically, the study adopts a doctrinal approach, analysing constitutional provisions, Supreme Court jurisprudence, and statutory text to assess the compatibility of the DPDP Act with established privacy standards. This is complemented by a comparative constitutional analysis, drawing insights from data protection regimes in jurisdictions such as the European Union, the United Kingdom, and the United States, where State surveillance is subject to defined legal and institutional constraints. Through this combined approach, the paper seeks to evaluate whether India’s emerging data protection framework adequately reflects constitutional commitments in the digital age. # THE CONSTITUTIONAL FOUNDATIONS OF PRIVACY IN INDIA ## Pre-*Puttaswamy* Jurisprudence Prior to 2017, Indian constitutional jurisprudence exhibited marked hesitation in recognising privacy as an independent fundamental right. Early decisions of the Supreme Court reflected a formalist approach, treating privacy as a derivative interest subsumed within personal liberty rather than as a constitutionally entrenched guarantee. In *M.P. Sharma v. Satish Chandra*, the Court rejected the existence of a right to privacy, holding that the Constitution did not expressly protect it and declining to read such a right into Article 20(3) or Article 21. This position was reaffirmed in *Kharak Singh v. State of Uttar Pradesh*, where the majority invalidated domiciliary visits as unconstitutional but simultaneously denied that privacy constituted a fundamental right. Despite these categorical denials, judicial reasoning during this period was not entirely consistent. A series of subsequent judgments implicitly acknowledged privacy interests, particularly in contexts involving bodily integrity, family life, and personal choices. In *Gobind v. State of Madhya Pradesh*, the Court cautiously suggested that privacy could be derived from Articles 19 and 21, though it refrained from articulating its contours and subjected it to broad State restrictions. Similarly, cases relating to telephone tapping, medical confidentiality, and reproductive autonomy recognised privacy concerns without elevating them to the status of a standalone right. This fragmented recognition resulted in doctrinal uncertainty. Privacy protection depended largely on judicial discretion and contextual balancing rather than on principled constitutional standards. The absence of a clear test for evaluating State intrusions enabled expansive executive practices, particularly in the domains of surveillance and data collection. As digital technologies proliferated, this ambiguity became increasingly untenable. Large-scale databases, biometric identification, and electronic surveillance exposed individuals to pervasive monitoring without corresponding constitutional safeguards. The pre-*Puttaswamy* jurisprudence, characterised by reluctance and inconsistency, thus laid the groundwork for a fundamental re-examination of privacy in the digital age. ## Justice K.S. Puttaswamy v. Union of India The Supreme Court’s unanimous decision in *Justice K.S. Puttaswamy (Retd.) v. Union of India* constitutes a decisive break from earlier jurisprudence and represents a transformative moment in Indian constitutional law. Convened as a nine-judge bench to resolve conflicting precedents, the Court unequivocally held that the right to privacy is a fundamental right protected under Article 21 and other freedoms guaranteed by Part III of the Constitution. In doing so, it expressly overruled *M.P. Sharma* and *Kharak Singh*, thereby resolving decades of doctrinal ambiguity. A defining feature of *Puttaswamy* is its expansive conception of privacy. The Court rejected narrow understandings limited to physical seclusion and instead articulated privacy as encompassing decisional autonomy, informational self-determination, and control over personal choices. Privacy was situated at the intersection of liberty, dignity, and equality, with several judges emphasising that dignity constitutes the constitutional foundation of all fundamental rights. This normative framing elevated privacy from a defensive right against intrusion to a positive condition enabling individual self-development and democratic participation. Of particular relevance to data protection is the Court’s recognition of informational privacy. The judgments acknowledged that in an era of digitisation, personal data constitutes an extension of the individual’s personality and autonomy. The aggregation and processing of data by the State, even when ostensibly benign, were recognised as capable of producing chilling effects, profiling, and exclusion. Importantly, the Court clarified that harm to privacy does not depend solely on misuse of data; the very act of excessive or unjustified collection can constitute a constitutional injury. The *Puttaswamy* decision also redefined the relationship between the individual and the State. Rather than treating privacy as a concession subject to executive convenience, the Court affirmed that any State intrusion must satisfy constitutionally prescribed limits. National security, public order, and welfare objectives were acknowledged as legitimate State interests, but the Court rejected the notion that these interests could justify unbounded discretion. Instead, it insisted on legality, necessity, and proportionality as conditions precedent to any invasion of privacy. Equally significant is the judgment’s forward-looking orientation. The Court explicitly called for a robust data protection framework that aligns statutory regulation with constitutional values. This articulation provided the normative blueprint for subsequent legislative action, including the enactment of the Digital Personal Data Protection Act, 2023. However, as subsequent scholarship notes, the transformative promise of *Puttaswamy* depends not merely on recognition of privacy, but on faithful implementation through legislation and institutional design. ## The Proportionality Doctrine Central to the constitutionalisation of privacy in *Puttaswamy* is the adoption of the proportionality doctrine as the governing standard for assessing State intrusions. Drawing upon comparative constitutional jurisprudence, the Court articulated a four-fold test that any restriction on privacy must satisfy: (i) legality, requiring the existence of law; (ii) a legitimate State aim; (iii) necessity, meaning the measure must be rationally connected to the objective and be the least restrictive alternative; and (iv) proportionality stricto sensu, involving a balancing of the extent of infringement against the importance of the objective. This structured inquiry marked a departure from earlier ad hoc balancing exercises. By insisting on necessity and minimal impairment, the Court imposed substantive constraints on legislative and executive power. Particularly in the context of data collection, the proportionality test requires the State to justify not only the purpose of data processing but also its scope, duration, and safeguards. Broad or indeterminate authorisations fail this test because they permit excessive intrusion without demonstrable necessity. The constitutional significance of proportionality lies in its role as a rule-of-law mechanism. It transforms privacy adjudication from a discretionary exercise into a principled evaluation grounded in reasonableness and accountability. Moreover, it aligns Indian constitutional law with global standards, particularly those developed by the European Court of Human Rights and constitutional courts in other democracies. In the context of the Digital Personal Data Protection Act, 2023, the proportionality doctrine serves as the primary constitutional benchmark. Any statutory exemption allowing State deviation from data protection principles must be assessed against this framework. Where legislation grants sweeping discretion without adequate safeguards or oversight, it risks violating the proportionality standard articulated in *Puttaswamy*. Thus, proportionality operates not merely as a doctrinal tool but as a substantive guarantee ensuring that privacy remains a meaningful constraint on State power in the digital era. # STATE DATA COLLECTION AND CONSTITUTIONAL LIMITS ## Nature and Scope of State Data Collection State data collection in contemporary India operates across multiple domains and employs diverse technological architectures. At its core, such collection serves legitimate governmental objectives maintaining public order, delivering welfare, and enabling efficient administration. However, the scale, granularity, and permanence of digital data have qualitatively transformed State power, necessitating renewed constitutional scrutiny. **Surveillance** constitutes the most intrusive form of State data collection. Traditional targeted surveillance has increasingly been supplemented by digital interception, metadata analysis, and automated monitoring tools. Advances in communications technology enable the State to collect and retain vast quantities of information about individuals’ movements, communications, and associations, often without their knowledge \[23\]. Even where surveillance is justified on grounds of security or crime prevention, the absence of narrow tailoring and independent oversight raises concerns under the right to privacy recognised in *Puttaswamy*. **Welfare databases** represent another significant site of State data accumulation. Programmes aimed at financial inclusion, food security, healthcare delivery, and social protection rely on integrated databases containing biometric and demographic information. While such systems are often defended as instruments of efficiency and inclusion, scholarship highlights their coercive character: individuals are compelled to part with personal data to access basic entitlements. This asymmetry undermines the voluntariness of consent and heightens the risk of exclusion, profiling, and data misuse, particularly for marginalised populations. **Digital governance tools**, including e-governance platforms, data analytics, and algorithmic decision-making systems, further expand the scope of State data processing. Predictive policing tools, automated eligibility determinations, and real-time data dashboards exemplify the State’s growing reliance on data-driven governance. These tools blur the line between administrative convenience and constitutional intrusion, as decisions affecting rights and benefits are increasingly mediated through opaque technological systems. Collectively, these practices demonstrate that State data collection is no longer episodic or limited; it is systemic and continuous. This transformation amplifies constitutional stakes, as the aggregation and interlinking of datasets enable comprehensive profiling of individuals. The nature and scope of State data collection thus demand robust constitutional limits grounded in legality, necessity, and proportionality. ## Risks of Unchecked Executive Power The expansion of State data collection, when coupled with weak legal constraints, poses serious risks to constitutional governance. Chief among these is the emergence of **mass surveillance**, characterised by indiscriminate data gathering rather than targeted monitoring based on suspicion. Mass surveillance undermines the core premise of the right to privacy by treating entire populations as objects of scrutiny. Courts and scholars alike have warned that such practices produce chilling effects, discouraging free expression, association, and dissent values central to a democratic society. A closely related danger is **function creep**, whereby data collected for one purpose is repurposed for unrelated objectives. In the absence of strict purpose limitation and deletion norms, welfare databases may be accessed by law enforcement agencies, or administrative datasets may be leveraged for surveillance and profiling. Function creep erodes trust in public institutions and violates the principle that State power must be exercised only for clearly defined purposes. From a constitutional perspective, it offends the proportionality requirement by extending intrusion beyond what was initially justified. Unchecked executive discretion in data governance also contributes to **democratic erosion**. Data-driven governance concentrates power within the executive branch, often bypassing legislative deliberation and judicial oversight. Broad statutory exemptions and delegated rule-making authority enable executive agencies to determine the scope, duration, and safeguards of data processing with minimal accountability. This concentration of power weakens the separation of powers and diminishes Parliament’s role in defining the limits of State surveillance. Moreover, excessive data collection alters the citizen–State relationship. When individuals are persistently monitored or rendered legible through data, they are less likely to exercise political freedoms or challenge authority. Scholars describe this as the “normalisation of surveillance,” wherein extraordinary measures become routine administrative practices . Such normalisation risks transforming privacy from a constitutional right into a conditional privilege contingent on executive tolerance. The constitutional implications of these risks are profound. *Puttaswamy* emphasised that privacy operates as a structural restraint on State power, not merely an individual interest \[32\]. Therefore, legislative frameworks that permit expansive data collection without stringent safeguards undermine the constitutional architecture itself. Judicial review remains a critical corrective, but courts cannot substitute for comprehensive statutory protections. In this context, constitutional limits on State data collection must address both substantive and procedural dimensions. Substantively, laws must narrowly define permissible objectives and restrict data collection to what is strictly necessary. Procedurally, independent oversight, transparency, and effective remedies are essential to prevent abuse. Without such limits, the expansion of State data practices risks entrenching executive dominance at the expense of individual liberty and democratic accountability. # THE DIGITAL PERSONAL DATA PROTECTION ACT, 2023 ## Objectives and Structural Framework The Digital Personal Data Protection Act, 2023 (DPDP Act) represents India’s first comprehensive statutory framework dedicated exclusively to the regulation of personal data processing. Enacted in the wake of *Justice K.S. Puttaswamy (Retd.) v. Union of India*, the Act is ostensibly designed to operationalise the constitutional right to privacy within a digital governance ecosystem \[33\]. Its stated objective is to balance the protection of individual privacy with the legitimate needs of data processing for lawful purposes, including governance and economic activity \[34\]. At the core of the Act lies a **consent-based model** of data processing. Consent is defined as free, specific, informed, unconditional, and unambiguous, thereby aligning in form though not always in substance with global data protection norms \[35\]. The Act mandates that personal data may be processed only for lawful purposes for which the data principal has provided consent, unless a statutory exception applies. This framework reflects a shift towards individual control over personal data, recognising informational self-determination as a foundational principle. Complementing the consent model are enumerated **rights of data principals**. These include the right to access information about data processing, the right to correction and erasure of personal data, the right to grievance redressal, and the right to nominate another person to exercise rights in the event of incapacity or death \[36\]. Collectively, these rights aim to enhance transparency and accountability in data processing practices. However, unlike some comparative regimes, the DPDP Act does not recognise a general right to data portability or a right to object, thereby limiting the scope of individual agency. The Act also imposes **obligations on data fiduciaries**, defined as entities that determine the purpose and means of data processing. These obligations include ensuring data accuracy, implementing reasonable security safeguards, notifying data breaches, and deleting personal data once the purpose of processing is fulfilled \[37\]. Certain entities may be designated as “significant data fiduciaries” based on factors such as volume and sensitivity of data, triggering enhanced compliance requirements. Structurally, the Act establishes a Data Protection Board of India as the primary regulatory authority. While the Board is tasked with adjudication and enforcement, concerns have been raised regarding its independence, given the extent of executive control over appointments and functioning \[38\]. Thus, while the DPDP Act introduces a rights-and-duties framework consistent with modern data protection discourse, its institutional design and exception architecture warrant closer constitutional scrutiny. ## The State as Data Fiduciary A distinctive and constitutionally contentious feature of the DPDP Act is its treatment of the **State as a data fiduciary**. In principle, the Act recognises that governmental entities process vast amounts of personal data and are therefore subject to the same foundational obligations as private actors. In practice, however, the Act accords the State a privileged position through expansive exemptions and discretionary powers \[39\]. The governmental role as a data fiduciary is multifaceted. State agencies collect data for welfare delivery, regulatory compliance, taxation, public health, and national security. Such processing is often coercive rather than consensual, as access to essential services may depend on data submission. While the Act acknowledges “legitimate uses” of personal data by the State without consent, it does not consistently subject these uses to strict necessity or proportionality requirements \[40\]. This omission is significant given the Supreme Court’s insistence in *Puttaswamy* that State data collection must be narrowly tailored and procedurally safeguarded. The DPDP Act grants the Central Government broad powers to **exempt any State instrumentality** from the application of key provisions of the Act on grounds such as sovereignty, integrity of India, security of the State, and public order \[41\]. These grounds are framed in expansive terms and lack accompanying statutory criteria or oversight mechanisms. As a result, the executive enjoys wide latitude to determine the scope of its own data protection obligations, raising concerns of arbitrariness and excessive delegation. This privileged position carries profound constitutional implications. Unlike private entities, the State wields coercive power and operates within a structural imbalance vis-à-vis individuals. Consequently, comparative constitutional theory suggests that the State ought to be held to *higher*, not lower, standards of accountability in data governance \[42\]. Yet, the DPDP Act reverses this logic by subjecting private fiduciaries to detailed compliance obligations while allowing the State to opt out of core safeguards. At the same time, the Act does not impose commensurate **heightened responsibilities** on the State to justify exemptions through independent review or periodic reassessment. There is no explicit requirement for legislative approval, judicial authorisation, or proportionality analysis prior to granting exemptions. This stands in contrast to global best practices, where State surveillance and data processing are typically subject to layered oversight and transparency obligations \[43\]. In effect, the DPDP Act reflects an unresolved tension between constitutional ideals and administrative pragmatism. While it symbolically recognises the State as a data fiduciary, it substantively privileges executive convenience over constitutional restraint. This imbalance risks undermining the transformative promise of *Puttaswamy* by normalising broad State discretion in data governance. Whether courts will recalibrate this framework through constitutional interpretation remains a critical question for the future of privacy jurisprudence in India. # CONSTITUTIONAL ANALYSIS OF STATE EXEMPTIONS ## Examination of State Exemptions The Digital Personal Data Protection Act, 2023 (DPDP Act) confers broad powers upon the Central Government to exempt State instrumentalities from the application of key data protection obligations. These exemptions are primarily justified on grounds of **national security**, **public order**, and **sovereignty** \[44\]. While such grounds are not per se illegitimate in constitutional law, their formulation and operation under the Act raise serious concerns regarding overbreadth and constitutional compatibility. **National security** has historically occupied a privileged position in constitutional adjudication, often serving as a compelling State interest capable of justifying rights limitations. However, the Supreme Court has consistently held that invocations of national security cannot operate as a carte blanche for executive action \[45\]. Under the DPDP Act, exemptions on security grounds are framed in expansive and indeterminate language, without requiring a demonstrable nexus between the data processing activity and a concrete security threat. This lack of specificity risks enabling routine data collection to be retrospectively justified under the umbrella of security, thereby diluting the exceptional character that such justifications ought to possess. Similarly, **public order** is employed as a ground for exemption without adequate statutory definition. Constitutional jurisprudence distinguishes public order from broader notions of law and order, requiring a proximate and tangible threat to societal stability \[46\]. The DPDP Act, however, does not incorporate this judicially evolved distinction. In the absence of clear thresholds, the exemption risks being applied to ordinary administrative or policing functions that do not warrant intrusive data practices, undermining the proportionality framework established in *Puttaswamy* \[47\]. The invocation of **sovereignty and integrity of India** further exemplifies the breadth of executive discretion under the Act. While sovereignty is a legitimate constitutional valuemland the absence of limiting principles or procedural safeguards renders its application opaque. The exemption clauses do not mandate periodic review, independent authorisation, or post-facto accountability. Consequently, the State is effectively empowered to self-certify the necessity of its own data practices, a position incompatible with constitutional norms that require external checks on coercive power. Collectively, these exemptions reflect a legislative preference for administrative flexibility over constitutional discipline. Rather than narrowly tailoring exemptions to extraordinary circumstances, the DPDP Act embeds them as structural features of data governance. This approach risks normalising exceptionalism and eroding the constitutional status of privacy, particularly in contexts where individuals lack the capacity to meaningfully challenge State action. ## Proportionality and Due Process Concerns A central constitutional infirmity of the State exemption regime under the DPDP Act lies in its failure to meaningfully engage with the **proportionality doctrine** articulated in *Justice K.S. Puttaswamy (Retd.) v. Union of India* \[48\]. While the Act purports to operate within a rights-respecting framework, its exemption provisions do not incorporate the structured inquiry required to justify intrusions into privacy. The most significant omission is the **absence of a necessity analysis**. Proportionality requires the State to demonstrate that a rights-infringing measure is not only suitable to achieve a legitimate aim but also necessary, in the sense that no less restrictive alternative is available \[49\]. The DPDP Act does not require the executive to undertake or disclose such an analysis before granting exemptions. Nor does it limit the scope, duration, or categories of data subject to exempted processing. As a result, exemptions may authorise sweeping data collection even where targeted or anonymised measures would suffice. Equally troubling are the **procedural deficiencies** embedded in the exemption framework. Due process, as an integral component of Article 21, demands transparency, reasoned decision-making, and effective remedies \[50\]. The Act does not mandate prior judicial or independent authorisation for exemptions, nor does it provide for notice to affected individuals or opportunities for challenge. The absence of these safeguards weakens accountability and increases the risk of arbitrary or discriminatory application. Judicial precedents concerning surveillance underscore the importance of procedural safeguards in legitimising State intrusion. In cases involving telephone tapping and interception, the Supreme Court has insisted on narrowly defined procedures, oversight mechanisms, and periodic review. The DPDP Act departs from this tradition by vesting exemption powers entirely within the executive domain, without embedding comparable safeguards. Furthermore, the lack of institutional independence in oversight exacerbates due process concerns. The Data Protection Board of India, envisaged as the primary enforcement authority, operates under significant executive influence with limited jurisdiction over exempted State actions \[51\]. This institutional design constrains the availability of neutral adjudication and undermines public confidence in the data protection regime. From a constitutional perspective, the cumulative effect of these deficiencies is the dilution of privacy from an enforceable right to a contingent interest, vulnerable to executive prioritisation. Proportionality is not merely a doctrinal formula; it is a substantive guarantee that State power will be exercised rationally and minimally. By failing to internalise this guarantee, the DPDP Act risks falling short of the constitutional standards set by *Puttaswamy*. ## Rule of Law and Separation of Powers Beyond proportionality and due process, the State exemption regime under the DPDP Act raises foundational concerns relating to the **rule of law** and **separation of powers**. The Act delegates extensive authority to the executive to define the contours of its own obligations, often through subordinate legislation or executive notifications \[52\]. Such **excessive delegation** weakens parliamentary control and undermines the principle that restrictions on fundamental rights must be authorised by clear and specific legislation. The Supreme Court has repeatedly cautioned against unguided delegation, particularly where fundamental rights are implicated \[53\]. In the context of data protection, where State power intersects directly with individual autonomy, the absence of legislative standards or intelligible criteria is constitutionally problematic. The DPDP Act’s exemption provisions do not articulate substantive limits, procedural requirements, or oversight mechanisms, thereby concentrating normative power in the executive. This concentration is compounded by **weak legislative oversight**. Parliament’s role is largely confined to enacting a broad enabling framework, with minimal involvement in reviewing or approving specific exemptions. There is no requirement for periodic reporting, sunset clauses, or parliamentary scrutiny of executive actions taken under the exemption provisions. Such omissions erode democratic accountability and shift the balance of power away from representative institutions. From a rule-of-law perspective, predictability and transparency are essential. Laws governing State data collection must enable individuals to foresee the circumstances under which their data may be processed and to seek redress in cases of abuse. The DPDP Act’s exemption regime, characterised by opacity and discretion, undermines these values. Ultimately, the constitutional promise of privacy articulated in *Puttaswamy* rests on the premise that State power will be constrained by law, reason, and institutional checks. Where exemptions are framed broadly and administered unilaterally, this premise is weakened. Re-aligning the DPDP Act with rule-of-law principles requires recalibrating executive discretion, strengthening legislative oversight, and reaffirming the judiciary’s role as the final arbiter of constitutional limits. # COMPARATIVE CONSTITUTIONAL PERSPECTIVES ## European Union (GDPR) The European Union’s data protection regime, anchored in the General Data Protection Regulation (GDPR), offers a stringent constitutional and statutory framework for regulating State data collection. While the GDPR recognises that Member States may process personal data for purposes such as national security and public order, it subjects such processing to **narrow derogations** and strict conditions \[54\]. Article 23 permits limitations on data protection rights only where such restrictions are necessary and proportionate in a democratic society, and only through legislative measures that clearly specify scope, purpose, and safeguards. Crucially, EU law rejects blanket exemptions. Derogations must be precise, temporally bounded, and demonstrably linked to a legitimate aim. This approach reflects the constitutional status of data protection as a fundamental right under Articles 7 and 8 of the Charter of Fundamental Rights of the European Union \[55\]. State discretion is therefore structured by law, not left to executive determination. **Judicial supervision** constitutes a core safeguard in the EU model. The Court of Justice of the European Union (CJEU) has consistently invalidated State surveillance measures that fail to meet proportionality standards. In *Digital Rights Ireland* and *Tele2 Sverige*, the CJEU struck down indiscriminate data retention regimes, emphasising that generalised access to personal data violates the essence of fundamental rights \[56,57\]. The Court insisted on prior judicial or independent administrative authorisation and effective remedies for individuals. This jurisprudence establishes that national security cannot be invoked to justify mass or suspicionless data collection. The EU model thus embeds constitutional discipline through a combination of narrowly framed legislative derogations and robust judicial oversight. In contrast to the Indian DPDP Act’s exemption framework, the GDPR demonstrates how State data processing can be reconciled with privacy as a constitutional right rather than subordinated to executive convenience. ## United Kingdom and United States (≈300 words) The United Kingdom and the United States offer distinct yet instructive models of surveillance oversight shaped by constitutional traditions and judicial intervention. In the United Kingdom, State surveillance is governed primarily by the Investigatory Powers Act, 2016, which consolidates interception and data retention powers while introducing layered oversight mechanisms \[58\]. Central to this framework is the “double lock” system, requiring both ministerial authorisation and independent judicial approval before intrusive surveillance measures may be undertaken. Judicial scrutiny has played a corrective role in shaping UK surveillance law. Domestic courts, influenced by European human rights jurisprudence, have required clarity, necessity, and proportionality in surveillance authorisations \[59\]. Independent oversight bodies, including judicial commissioners and parliamentary committees, further contribute to accountability, ensuring that executive discretion is subject to continuous review. In the United States, constitutional protection against unreasonable searches and seizures under the Fourth Amendment provides the primary safeguard against State surveillance. Although national security surveillance has historically enjoyed deference, recent jurisprudence reflects growing concern about digital privacy. In *Carpenter v. United States*, the Supreme Court recognised that long-term collection of cell-site location data constitutes a search requiring judicial warrant, acknowledging that digital data aggregation fundamentally alters privacy expectations \[60\]. Oversight mechanisms in the US include specialised courts, such as the Foreign Intelligence Surveillance Court, congressional intelligence committees, and statutory reporting obligations \[61\]. While critiques persist regarding secrecy and executive dominance, these institutional checks underscore the principle that surveillance powers must be constrained by law and review. Both jurisdictions illustrate that even where national security is prioritised, constitutional democracies insist on **procedural safeguards, independent authorisation, and accountability mechanisms** features largely absent from India’s current exemption regime. ## Lessons for India Comparative constitutional practice yields clear lessons for India’s data protection framework. First, State exemptions must be **narrowly tailored**, grounded in precise legislative criteria rather than broad executive discretion. Secondly, **judicial or independent prior authorisation** is essential to legitimise intrusive data practices and prevent abuse. Thirdly, effective remedies and transparency mechanisms strengthen public trust and constitutional accountability. The Indian Constitution, as interpreted in *Puttaswamy*, already embraces proportionality and rule-of-law constraints. Aligning the DPDP Act with these principles requires recalibrating State exemptions to mirror global best practices. Rather than treating privacy as subordinate to governance imperatives, Indian law must recognise that constitutional democracy is sustained precisely by limiting State power even, and especially, in the digital age. # IMPLICATIONS FOR CONSTITUTIONAL GOVERNANCE ## Liberties and Democratic Accountability The architecture of State data collection under the Digital Personal Data Protection Act, 2023 has far-reaching implications for civil liberties and democratic accountability. Privacy, as recognised in *Justice K.S. Puttaswamy (Retd.) v. Union of India*, is not an isolated individual entitlement but a structural condition for the meaningful exercise of other fundamental freedoms, including speech, association, and political participation \[62\]. Where State data practices operate under expansive exemptions and limited oversight, these freedoms are rendered vulnerable. Pervasive data collection produces a **chilling effect** on civil liberties. When individuals are aware or reasonably apprehensive that their communications, movements, or digital interactions may be monitored or aggregated by the State, they are less likely to engage in dissent, organise collectively, or express unpopular opinions \[63\]. Such self-censorship undermines the deliberative foundations of a democratic polity. In this sense, privacy erosion operates indirectly but powerfully, reshaping citizen behaviour in ways that escape immediate legal scrutiny. Democratic accountability is further weakened when data governance is characterised by opacity. Broad executive exemptions reduce transparency regarding the purposes, scope, and duration of State data processing. Without access to information or meaningful avenues of challenge, citizens are deprived of the capacity to hold public authorities accountable for rights-infringing practices \[64\]. This asymmetry of information exacerbates the imbalance of power inherent in State–citizen relations. Moreover, the normalisation of data-driven governance risks entrenching **technocratic decision-making** insulated from public debate. Algorithmic systems and large databases often operate beyond the comprehension of affected individuals, limiting participatory oversight. When coupled with weak legislative scrutiny, such practices shift governance away from democratic contestation towards executive administration \[65\]. From a constitutional perspective, this trend conflicts with the principle that all exercises of public power must remain accountable to the people through representative institutions. Thus, the DPDP Act’s approach to State exemptions has implications extending beyond privacy doctrine. It affects the vitality of civil liberties and the health of democratic accountability, reinforcing the need for constitutional recalibration. ## Judicial Review and Institutional Safeguards In light of these implications, **judicial review and institutional safeguards** assume heightened constitutional importance. The Supreme Court in *Puttaswamy* underscored the judiciary’s role as the guardian of fundamental rights in an era of technological governance \[62\]. Where legislative frameworks confer broad discretion on the executive, courts serve as a critical counterbalance, ensuring that State action conforms to constitutional standards of legality, proportionality, and reasonableness. Judicial review provides an avenue to scrutinise the invocation of State exemptions and to assess whether claims of national security or public order satisfy constitutional thresholds. Past surveillance jurisprudence demonstrates that courts are capable of imposing procedural safeguards, narrowing executive discretion, and mandating oversight mechanisms \[66\]. However, ex post facto judicial intervention, while necessary, is not a substitute for robust institutional design. Effective constitutional governance requires **ex ante safeguards** embedded within statutory frameworks. Independent oversight bodies, transparent authorisation procedures, and periodic review mechanisms reduce reliance on litigation as the primary means of accountability. In the Indian context, the limited autonomy of the Data Protection Board of India constrains its capacity to function as an effective check on State data practices \[67\]. Strengthening institutional independence would align data governance with rule-of-law principles. Ultimately, judicial review and institutional safeguards must operate synergistically. Courts can articulate constitutional limits, but sustained protection of privacy and civil liberties depends on institutions designed to internalise those limits in everyday governance. Without such mechanisms, the constitutional promise of privacy risks erosion through incremental and normalised State practices. # RECOMMENDATIONS AND WAY FORWARD ## Legislative Reforms A principled recalibration of the Digital Personal Data Protection Act, 2023 (DPDP Act) is necessary to realign statutory design with constitutional commitments articulated in *Justice K.S. Puttaswamy (Retd.) v. Union of India* \[68\]. First, **State exemptions must be narrowed and precisely defined**. Grounds such as national security, public order, and sovereignty should be accompanied by statutory criteria that require a demonstrable nexus between the data practice and a specific, imminent threat. Open-ended formulations should be replaced with **purpose-limited, time-bound exemptions** subject to periodic review. Secondly, the Act should **codify proportionality** within its exemption architecture. This entails a mandatory necessity assessment recorded in writing demonstrating why less intrusive alternatives are inadequate. Sunset clauses and data minimisation requirements should apply by default, with extensions requiring renewed justification. Such internalisation of proportionality would convert constitutional doctrine into operational law \[69\]. Thirdly, **procedural due process** must be strengthened. Prior authorisation by an independent authority (judicial or quasi-judicial) should be required for intrusive State data practices. Affected individuals should have access to notice (where compatible with the purpose), post-facto disclosure, and effective remedies. Finally, Parliament should mandate **regular reporting** on the use of exemptions, enabling democratic scrutiny and preventing the normalisation of exceptional measures \[70\]. ## Strengthening Oversight Institutions Legislative reform must be complemented by robust **institutional oversight**. The Data Protection Board of India should be reconstituted to ensure **functional independence** from the executive, including transparent appointments, security of tenure, and budgetary autonomy \[71\]. Its jurisdiction should explicitly extend to reviewing the legality and proportionality of State exemptions, not merely private-sector compliance. In addition, India would benefit from a **multi-layered oversight model**. Parliamentary committees with technical expertise should review exemption usage, while independent auditors conduct periodic compliance assessments. For surveillance-related data processing, a **prior authorisation regime** with judicial or independent approval would align practice with constitutional expectations and comparative best practices \[72\]. Transparency mechanisms are equally vital. Aggregate disclosures, impact assessments, and public-facing reports (subject to narrowly tailored confidentiality) can enhance trust without compromising legitimate State interests. Together, these measures would embed accountability ex ante, reducing reliance on ex post litigation and strengthening the rule of law. ## Rights-Centric Digital Governance Beyond institutional fixes, India must embrace a **rights-centric model of digital governance**. Privacy should be treated as an enabling condition for dignity, autonomy, and democratic participation not as a regulatory obstacle \[68\]. This requires mainstreaming **privacy-by-design** across government systems, adopting default data minimisation, and ensuring algorithmic transparency where automated decision-making affects rights and entitlements \[73\]. Equally important is **public participation**. Consultative rule-making, accessible grievance mechanisms, and digital literacy initiatives can democratise data governance and empower individuals. By aligning technological innovation with constitutional values, India can pursue effective governance without sacrificing fundamental rights realising the transformative promise of *Puttaswamy* in the digital age. # CONCLUSIONS The recognition of privacy as a fundamental right in *Justice K.S. Puttaswamy (Retd.) v. Union of India* marked a constitutional watershed, recalibrating the balance between individual liberty and State power in the digital age \[74\]. This judgment established privacy not as a residual or contingent interest, but as a structural constitutional guarantee grounded in dignity, autonomy, and democratic participation. As this paper has demonstrated, *Puttaswamy* must continue to operate as the **constitutional benchmark** against which all regimes of State data collection are assessed. Its insistence on legality, necessity, proportionality, and procedural safeguards provides a principled framework capable of accommodating legitimate governance objectives without sacrificing fundamental rights. Measured against this benchmark, the Digital Personal Data Protection Act, 2023 reflects a mixed constitutional legacy. On the one hand, the Act introduces a long-overdue statutory architecture for personal data protection, articulating rights of data principals and obligations of data fiduciaries. On the other hand, its expansive State exemptions and discretionary architecture risk **de-centering privacy** precisely where constitutional protection is most needed. The exemption regime, framed in broad terms and administered predominantly by the executive, departs from the proportionality and due process requirements articulated in *Puttaswamy* and subsequent jurisprudence \[75\]. This misalignment underscores the need to **re-align the DPDP Act with privacy jurisprudence**, not merely in rhetoric but in institutional design and operational safeguards. Re-alignment requires more than incremental adjustments. It calls for embedding proportionality within the statute, narrowing exemptions through precise legislative criteria, and strengthening independent oversight mechanisms. Comparative constitutional practice demonstrates that democratic states can pursue security and welfare objectives while maintaining robust judicial supervision and accountability \[76\]. India’s constitutional framework already supplies the normative tools to achieve this balance; what remains is the political and institutional will to internalise them within data governance. The **long-term constitutional implications** of the current trajectory are significant. If broad State discretion in data processing becomes normalised, privacy risks erosion through incremental, routinised practices rather than overt violations. Such erosion would have cascading effects on civil liberties, democratic accountability, and the separation of powers. Conversely, recalibrating data protection law in fidelity to *Puttaswamy* can strengthen constitutional culture, reaffirming the rule of law in an era of rapid technological change. Ultimately, the future of privacy in India will be shaped not only by judicial pronouncements but by the everyday operation of statutes and institutions. Treating privacy as an enabling condition for democratic governance rather than an obstacle to administrative efficiency offers a sustainable path forward. By reaffirming *Puttaswamy* as the constitutional compass and re-aligning the DPDP Act accordingly, India can demonstrate that effective governance and constitutional fidelity are mutually reinforcing, even in the most data-intensive domains of the modern State.

Generating HTML Viewer...